I'm trying to build a Blazor application that is hosted on the server and the starting point is inside a razor page. Something like that:
<component type="typeof(Main)" render-mode="ServerPrerendered" param-Data="@simple"/>
My questions are:
What if my razor page does have a custom authentication based on database values inside the OnGetAsync method - do I need to redo some of that stuff inside Blazor, or does the stateful component only get rendered when the razor page works?
What happens if I have an arbitrary if/else block that would have a button call, would that button call be guarded by the state?
Something along the lines:
@if (HasPermission)
{
    <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
}
I assume you run Blazor Server (at the time of writing, WASM is still in preview and will be quite different security-wise).
The documentation states that Blazor does indeed integrate with ASP.NET Core identity:
Blazor Server apps include a built-in AuthenticationStateProvider service that obtains authentication state data from ASP.NET Core's HttpContext.User. This is how authentication state integrates with existing ASP.NET Core server-side authentication mechanisms.
Now, to your questions:
Given your rendering mode, for Blazor to kick in, the Razor page has to render an initial state and mark the element where Blazor is to manage the view later on. The way AuthorizeAttribute works (I presume this is what you meant?) will block the page from rendering, so this should prevent Blazor from starting altogether - you will get redirected away to authenticate. Once your users are past that gate though - be aware that Blazor handles [Authorize] on child controls differently:
Only use [Authorize] on @page components reached via the Blazor Router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, use AuthorizeView instead.
(this doesn't seem to be your case, but I'd put it here just in case)
I'm not entirely sure if I understand the statement here: circuit is the term MS uses to identify the slice of server where your application instance lives while it's displayed to a client. The connection is maintained via websockets and is generally scoped to a session (check out cookies and url parameters to your /_blazor endpoint). The user is however not guaranteed to have the same circuit throughout application lifetime (due to connection issues or server load-balancer config) - and it is fine, you are expected to handle state persistence across circuits yourself.
It's probably best to follow Blazor's security management page: you have a couple of options to ensure you're catering for authenticated users:
<AuthorizeView> to control what gets rendered:
<AuthorizeView>
    <Authorized>
        <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
    </Authorized>
    <NotAuthorized>
        <p>You're not signed in.</p>
    </NotAuthorized>
</AuthorizeView>
You can technically use an if (user.IsInRole()) statement, but that might not get updated when User AuthenticationState changes.
If this is not sufficient, you can either pick up cascading AuthenticationState parameter or look at implementing your own AuthenticationStateProvider.
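
The two options above combined, as an added example that is not part of the original answer: the button is rendered through AuthorizeView, and the handler re-checks the user from the cascading AuthenticationState before it touches the database, so the decision is made against the state at click time and not only at render time. Assumptions: the policy name "CanMutate" is hypothetical, the app wraps its components in CascadingAuthenticationState, and the database write is left as a placeholder comment.

```razor
@* Added example. "CanMutate" is a hypothetical policy registered in Startup. *@
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@inject IAuthorizationService AuthorizationService

<AuthorizeView Policy="CanMutate">
    <Authorized>
        <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
    </Authorized>
    <NotAuthorized>
        <p>You're not allowed to do this.</p>
    </NotAuthorized>
</AuthorizeView>

@if (!string.IsNullOrEmpty(status))
{
    <p>@status</p>
}

@code {
    // Supplied by <CascadingAuthenticationState> (assumed to wrap the app);
    // it is replaced whenever the AuthenticationStateProvider reports a change.
    [CascadingParameter]
    private Task<AuthenticationState> AuthStateTask { get; set; }

    private string status;

    private async Task MutateDatabase()
    {
        // Rendering the button is a UI decision only. Evaluate the policy
        // again here, using the current user, before any state is changed.
        var user = (await AuthStateTask).User;
        var result = await AuthorizationService.AuthorizeAsync(user, "CanMutate");

        if (!result.Succeeded)
        {
            status = "Request refused.";
            return;
        }

        // Placeholder: perform the database change here, and enforce the
        // same rule again in the data layer the component calls into.
        status = "Done.";
    }
}
```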